When multiple organisations need to collaborate on quality management, a shared challenge frequently arises: how to share structure, requirements and best practice whilst allowing each organisation to adapt the system to its own operations. Whether it involves a group with established HSEQ functions or collaboration between independent organisations, the goal is to strike the right balance between standardisation and local control.

Certain QMS has been developed precisely for this purpose, with a solution that makes it possible to build on a shared quality framework whilst each organisation retains ownership of its own quality management system.

In groups and larger organisations with dedicated HSEQ resources, established structures and extensive documentation in the management system typically already exist. The challenge is often to ensure that this content is accessible and straightforward to adopt across all parts of the organisation — across departments and business units.

In alliances and industry collaborations, the starting point is often different. Here, the collaboration typically consists of organisations with limited capacity to develop and maintain a fully functioning quality management system on their own. The need is therefore access to ready-made structures, templates and recommended working methods that can serve as a starting point within their own organisation.

Both situations require a solution that enables quality content to be shared in a structured way, whilst allowing each organisation to adapt the system to its own circumstances and responsibilities.

A central “master solution” is established, functioning as a shared quality framework with structure, templates and a recommended configuration for the quality management system. The content of the master solution is developed and maintained by a central HSEQ function or a working group with representatives from the various organisations.

Each company receives its own installation of Certain QMS, based on and integrated with the master solution. This provides a shared structure and content, whilst each company has its own users, its own data and full ownership of its own quality work.

In this way, multiple organisations can work within the same quality framework, whilst the system can be adapted to local operations.

Certain QMS consists of several modules for quality management. The master solution can contain ready-made configurations, structures and templates, for example for:

• Document structure and folder structure
• Processes and workflows
• Non-conformity handling and categorisation
• Risk analyses and risk templates
• Checklists
• Annual planners and scheduled activities

When a local installation is created, this configuration is copied from the master solution and used as the starting point for the organisation’s own quality management system.

Once the local installation has been established, the organisation is free to:

• Modify structures
• Adjust processes
• Add or remove content
• Adapt the system to its own operations

If improvements or changes are subsequently made to the master configuration, these can be transferred to local installations as required — but this is carried out as a managed update, initiated by the system administrator.

This gives the organisation full control over its own quality management system, whilst retaining the option to adopt improvements developed centrally.

For documents originating from the master, a simple and clear model is used for local adaptation:

The main body of the document is locked for editing, but a dedicated field is available for local clarifications and additions. When this is used, the document is referred to as an extended document.

In this way, the following are preserved:

• Shared wording and requirements in the main document
• Whilst local practice can be clearly and correctly documented

Example of a governing document where the main content is managed centrally, whilst local clarifications are added in a dedicated field as part of an extended document.

The master solution in Certain QMS thus supports two distinct needs:

• as a template for system configuration and quality structure, where local installations are built on a shared foundation
• and as a shared source for governing documents, with ongoing updates and clear handling of local adaptations

This provides both flexibility in system use and confidence that shared requirements and procedures can genuinely be kept up to date across organisations.

Certain QMS is a fully-featured quality management system with functionality for management processes, documentation, risk assessment, audit and more. The system also meets the requirements for an organisation-wide information security management system (ISMS).

This means that organisations can use Certain QMS to establish, follow up and document information security in a structured and transparent manner, without additional software or separate ISMS tools.

This article explains how you can use Certain QMS to establish and manage a complete ISMS. We walk through the relevant features of the system and describe what is included in terms of ready-made templates, supporting documentation and tools in our ISMS package.

• Establish an ISMS: Access ready-made procedures, policies and process models that can be adapted to your organisation.
• Plan and follow up: Use the annual planner functionality to plan activities and tasks, assign responsibilities and ensure that tasks are completed and documented.
• Assess risk: The risk module provides an overview and control, making it straightforward to follow up on actions.
• Manage data protection: The DPIA process supports the assessment of high-risk processing activities, and is linked to risk assessment and actions.
• Ensure compliance: The compliance module helps you document that requirements from legislation, standards and customers are being met.
• Document processing activities: The records of processing activities provide an overview of the organisation’s personal data processing, functioning as an integrated part of the ISMS.

An information security management system (ISMS) is a framework that helps organisations protect information systematically. It provides structure for how risks are identified, controls are put in place, security measures are documented and follow-up is carried out over time.

The main objectives of an ISMS:

• Information should always be confidential, accurate and available to those who need it
• Compliance with legal requirements, standards and internal guidelines

In the same way as a quality management system (QMS), an ISMS combines processes, routines, policies and documentation to give the organisation a clear framework.

An ISMS makes it possible to:

• Assess and manage risks relating to information
• Ensure that actions are followed up and documented
• Clarify roles and responsibilities for security
• Document compliance with standards and legal requirements
• Continually improve information security

By using Certain QMS as an ISMS, the organisation has all the necessary tools in one place — from document control and risk assessment to checklists, processes and audit — making implementation and follow-up clear and cohesive.

An ISMS gives management a systematic framework for documenting and following up that the organisation complies with legislation, regulations and both internal and external requirements relating to information security and data protection.

The main reasons for having an ISMS:

• Legislation and regulation: An ISMS makes it possible to document that the organisation complies with applicable laws and regulations, such as the Personal Data Act / GDPR and the NIS2 Directive for critical infrastructure, or sector-specific requirements.
• Standards and certifications: ISO 27001 and other international standards set requirements for the management of information security, and an ISMS provides a documented basis for compliance and any certifications.
• Customer expectations: More customers require their suppliers to manage information security systematically, and an ISMS provides documentation of this.
• Risk and vulnerability management: The system makes it possible to identify and manage risks relating to information, whilst follow-up and control are documented.
• Continual improvement: By establishing a systematic framework, the organisation can follow up on actions, document results and continuously improve its security level.

With an ISMS, organisations can demonstrate to both regulators and customers that they take information security seriously.

Certain QMS supports a process-oriented approach to management, meaning that information security work is organised around processes rather than functions or departments.

Information security work is established as a dedicated process area in which both main processes and sub-processes are modelled. This makes it easier to see the full picture of the work and where responsibility lies.

All documentation (procedures, guides, instructions, templates and more) is linked to the relevant activities in the process, and is also logically organised within a dedicated folder area for information security. Users can navigate via the processes or the folder structure.

All documents have full version control, and both documents and processes can be managed with role-based access, so that only authorised users see relevant content.

Certain QMS supports a process-oriented approach to management, meaning that information security work is organised around processes rather than functions or departments.

Information security work is established as a dedicated process area in which both main processes and sub-processes are modelled. This makes it easier to see the full picture of the work and where responsibility lies.

Annual planner for ISMS establishment.

Document template for summarising a completed DPIA.

Analysis template for DPIA.

A compliance register is an overview of requirements from legislation, standards and internal guidelines, linked to relevant documentation in the management system. In Certain QMS, the compliance register is one of many available features that helps the organisation maintain an overview and ensure compliance.

For ISO 27001 Annex A, all 93 controls are pre-registered in the system. Each control includes an explanation of what it entails and status fields indicating whether the requirement has been met. This makes it straightforward to use the register in audits, gap analyses and improvement work.

A ready-made template set for a GDPR article register can also be produced as part of the delivery.

Compliance register for Annex A ISO 27001.

Certain QMS supports the publishing of selected documents on internal or open portals. This enables employees, customers and partners to access relevant information without having to navigate the entire system.

This supports compliance by ensuring that all relevant parties always have access to correct and up-to-date documentation. In this way, requirements for compliance, training and internal control are met, whilst important processes and routines become transparent to all who need them.

Ready to install and use from day one

Our ISMS package is delivered pre-configured and installed on the customer’s own Certain QMS installation. Each package gives the organisation everything needed to establish, document and follow up an information security management system in line with ISO 27001 and GDPR:

• ISMS documentation: procedures, policies and process models
• Annual planner for establishment
• Annual planner for continual improvement
• Risk analysis templates for information security
• DPIA support with checklists, guidance and risk templates
• Compliance register for ISO 27001 and the option of a GDPR article register
• Document template for records of processing activities
• Full version control and role-based access for all documentation

The packages are ready to use from day one, but can be adapted to the organisation’s needs and existing processes.

Contact us for a demonstration and pricing.

To support the requirements for document control, internal control and quality in the healthcare sector, the eHandbook in Certain QMS covers the entire lifecycle of governing documents — from drafting, internal consultation and approval through to publishing, use and revision. The solution offers, amongst other things:

• Flexible and customised document templates for different types of procedures, guidelines and instructions, making documentation more consistent and easier to maintain.
• Approval workflows and clearly defined roles for who can edit, quality-assure, approve and publish documents.
• Advanced role and access management, which can be integrated with the organisation’s AD/Entra ID, so that employees are automatically granted access to the right content based on their role and department.
• Restriction of sensitive information, ensuring that certain content is only accessible to defined roles or user groups.
• HTML-based and searchable documents, combined with the ability to upload various file formats and link to external resources.
• Change summaries, giving users a quick overview of what is new or changed in a document.
• Reading lists with acknowledgement, where managers can require employees to read selected documents and have confirmation of completion recorded.
• Review deadlines and automatic notifications, ensuring that documents do not remain outdated without responsible parties being followed up.
• Public document portal for external publishing of selected documents, so that procedures, guidelines and other information can be shared online — without requiring a login.

Figures from the large healthcare organisations using the eHandbook in Certain QMS show that the solution is not a passive document archive, but a reference tool that is actively used by employees on a daily basis.

Usage data shows high levels of activity, with thousands of document views each day and a large number of unique users over time. This confirms the eHandbook’s role as a central working environment for governing documentation — for clinical staff, managers and support functions alike.

Examples of document scope and publishing:

Many organisations need to make parts of their documentation available to external users, whilst retaining full control over content, versions and publishing. With the public document portal, selected documents from the eHandbook can be published in a dedicated, open eHandbook portal that is accessible via a browser, with no login required. The documents continue to be maintained, approved and revised within the same solution before being published to the public portal.

In the healthcare sector, this is used, amongst other things, to share patient-facing procedures, information about services, collaboration routines with GPs and other stakeholders, and guidelines that are required to be publicly available. When documents are updated in the eHandbook, they are also updated automatically in the public portal, reducing the risk of outdated information being accessible externally.

The public document portal in Certain QMS thus enables secure public access to and sharing of documents, with full traceability and revision control maintained within Certain QMS.

Oslo University Hospital (OUS) was established in 2009 through the merger of Rikshospitalet, Ullevål University Hospital and Aker University Hospital. The hospital is the largest in Europe, with 24,000 employees.

OUS has used Certain QMS for effective document control since 2010, and demonstrates a mature and considered approach to the use of the eHandbook. With a document base running to tens of thousands of internal documents and daily use by many thousands of employees, the solution functions as a central knowledge platform across disciplines, roles and locations.

Usage is high throughout the year, with continuous lookups of documents that are directly integrated into both clinical and administrative day-to-day work.

At OUS, considerable emphasis has been placed on training in the use of the eHandbook, and a dedicated internal support function has been established to build user competence over time. Experience shows that the way in which support and guidance are provided has a significant bearing on whether employees become confident and independent in their use of the system.

Rather than completing tasks on behalf of users, the focus has largely been on explaining how different roles should work within the solution and how tasks are carried out correctly. This has contributed to a strong understanding of roles, higher quality in system use and a clear reduction in the number of support requests over time.

Usage statistics show that the eHandbook is used by many thousands of employees, with daily views of thousands of documents. Data from OUS also shows that the solution is not merely visited, but actively used throughout the year.

The figures indicate a high degree of engagement with the content, with employees navigating between pages, opening documents, using search and following the structure of the handbook — rather than retrieving individual documents in isolation.

Training is not, however, solely about learning to use the system itself — it is about ensuring that quality work is genuinely put into practice across the entire organisation. At OUS, the eHandbook is closely linked to e-learning courses and competence plans associated with different roles, so that employees receive training in both their responsibilities and work processes — not just in the features of the solution.

To maintain quality in document work, employees who are to be granted write access must complete mandatory training before access is granted. In addition, checklists within documents are used to support the correct completion of key tasks in day-to-day work, and a refresher shortly after training is recommended to ensure that knowledge is translated into practice.

The public document portal at OUS is not only used internally, but is also actively used by other actors in the healthcare sector. Healthcare professionals across the country can look up how OUS approaches various procedures, treatments and interventions, and use this as guidance in their own work. In this way, OUS effectively serves as a national reference for the design of procedures, the content of routines and professional practice across a wide range of areas.

This is closely connected to the role Oslo University Hospital plays in medical research and the training of healthcare professionals in Norway. As a university hospital, OUS contributes significantly to the development of professional standards, and through publicly available documentation this knowledge can be shared broadly across the sector — in a structured, quality-assured and up-to-date manner.

View OUS’s public eHandbook here: ehandboken.ous-hf.no

Taken together, the experiences from OUS demonstrate how the eHandbook can be used as an active tool for building competence, ensuring quality and enabling efficient operations — not merely as a place where documents are stored.

In complex organisations, effective document control is a prerequisite for good and efficient management.

Experience from the healthcare sector shows that the true value of the eHandbook is realised when it becomes a natural part of day-to-day work — where employees can easily find current routines and training is closely linked to the governing documentation.

Over time, this contributes to shared practice, fewer errors and a stronger basis for improvement — and experience from Oslo University Hospital and others demonstrates that the right structure, clearly defined roles and active use deliver lasting benefits for the organisation as a whole.

The F3 Frontline Workers plug-in is a software extension for Certain QMS, developed specifically for organisations using Microsoft 365 F3 licences.

The Microsoft F3 licence restricts users from opening and working with Office files stored in the quality management system. The Certain QMS plug-in provides a solution that ensures straightforward access to the documents employees need.

F3 licences are designed specifically for employees who work entirely in the cloud. This means that all files they work with are stored in Microsoft’s cloud — either OneDrive or SharePoint.

A problem therefore arises when employees with F3 licences need to open or work with Microsoft files that are not stored in Microsoft’s cloud, but in a specialist system such as Certain QMS.

Word document in Certain QMS: With a Microsoft F3 licence, users cannot open files stored in the quality management system.

A well-established quality management system loses some of its value when employees are unable to read or work with the files created to maintain quality across the organisation’s deliveries.

The F3 Frontline Workers plug-in ensures that the quality of our product is maintained as organisations transition to cloud-based solutions for their employees.

Employees working in the cloud do not have the software required to open Microsoft files in the quality management system..

We are aware that this challenge applies to many more IT systems than Certain QMS alone.

If your organisation is experiencing similar problems with other specialist systems or management systems, please get in touch. We are happy to provide guidance and solutions to help you move forward.

A prerequisite for succeeding with quality management and improvement is that all employees have quick and easy access to internal documentation and internal reporting systems.

That is why we have chosen to make the functions that all employees need to use available in SharePoint.

Adopting “yet another IT system” can be demanding for employees who do not have direct responsibility for developing the organisation’s QHSE processes. At the same time, the entire organisation should benefit from the QHSE work carried out within the quality management system.

With SharePoint as the work surface, employees can search for internal procedures and processes, and report non-conformances without leaving the intranet. Notifications in SharePoint and shortcuts to reading lists ensure that information reaches all employees.

Quick and easy access to up-to-date and relevant information is the key to improvement – and that is what we can offer with SharePoint as the work surface.

All types of non-conformances, suggestions for improvement or reports of serious concerns can be registered by employees directly in SharePoint.

Case handlers for non-conformances and other types of cases receive notifications in SharePoint showing the status of the following:

• Number of new cases awaiting assignment to a case handler
• Number of own cases currently being processed
• Number of tasks and measures not yet closed
• Number of cases that have exceeded the internal deadline

• Search for processes
• Navigate the process landscape
• Read and click on activities within processes

Employees who produce or are responsible for the organisation’s processes receive dedicated notifications showing how many processes have not been approved or have passed their revision deadline.

• Search for documents
• Read documents
• Confirm reading

Employees who produce or are responsible for the organisation’s documentation receive dedicated notifications showing how many documents are awaiting approval or consultation, or have passed their revision deadline.

• Display of a personalised reading list applicable to the employee’s role or position
• Notification showing the number of unread documents in the reading list

Employees who carry out risk assessments in Certain QMS receive notifications showing the number of their own risk analyses currently in progress, and the number of risk-reducing measures that have not yet been closed.

Certain QMS is a digital solution designed to be used in different ways and for different tasks, depending on the role a person holds within the organisation. For everyone with management or QHSE responsibilities, Certain QMS will be an important professional and governance system.

For employees who work directly within the system – for example, producing documentation, carrying out risk analyses or handling non-conformances – SharePoint will also be useful for notifications and status updates.

The personalised section of SharePoint displays new cases, unread documents or deadlines for revision and case handling. This gives those responsible a quick overview of tasks awaiting attention and a practical shortcut directly to the work surface in Certain QMS.

The user account in SharePoint is linked to the user account in Certain QMS, so information and access permissions will always be tailored to each individual employee and their role.